Add a 'source-root' input to the init Action #607
Conversation
This input is exposed in the CodeQL CLI as the flag --source-root, allowing
users of the CLI to set --source-root different from --working-dir. However,
in codeql-action, these two paths are conflated and it poses problems for
users with complicated build environments, in which a source root may be
a child of the working directory.
Most users should not notice this, as the default value is
${{ github.workspace }}, as it is implied now (`path.resolve()`).
In the previous commit, the default value of the input is ${{ github.workspace }}
which means that most uses of this input would probably prefix their paths with
${{ github.workspace }}, especially since actions/checkout's 'path' input
must be under ${{ github.workspace }}. Therefore, it doesn't make much sense for
this to be an absolute file path.
Instead, it's more intuitive to make this relative to the repository.
It causes the action to break (or rather that context being unavailable causes it to fail), despite it being in the description field.
init/action.yml
Outdated
| @@ -38,6 +38,9 @@ inputs: | |||
| description: Try to auto-install your python dependencies | |||
| required: true | |||
| default: 'true' | |||
| source-root: | |||
| description: Path to the root source-code directory, relative to the workspace. | |||
There was a problem hiding this comment.
I saw you had trouble using ${{ github.workspace }} in the description. In https://github.com/actions/checkout/blob/main/action.yml they use $GITHUB_WORKSPACE and it appears that
default: ${{ github.workspace }}
is also allowed.
There was a problem hiding this comment.
Yes, it is. That was in my first commit, but when I actually started to use it in my test, I found it inconvenient to always have to specify a ${{ github.workspace }} prefix. Hence, why I made it relative to the repo in subsequent commits.
There was a problem hiding this comment.
I'm worried there are two usages changed within the runner but only one in the init-action. It looks like there's a use of getRequiredEnvParam("GITHUB_WORKSPACE") passed to initConfig in init-action.ts that also needs changing.
Although, I'm actually not sure that changing the calls to initConfig is the right thing to do. This will change how local queries are resolved and I'm not sure if that is intended or not.
In general it depends how this option will be used. Is it for when you want to analyze the whole repository but the repository is checked out to a non-standard location? If so then this change looks good to me (minus my comment above). If instead the intention is to be able to analyze only a subdirectory of a repository, then I think this may need deeper thought to know if this will work or not.
Finally, what manual testing has been done of this? Have you tried running it in a workflow.
|
To follow on from my comment above, looking at how it works in |
I think we should not change |
I've now come around to the other way of thinking. I think we should change
What does "path to the source files" mean? Is that the root of the github repository, or a subdirectory within a repository? When talking about relative paths in the SARIF output we need those to be relative to the root of the repository, don't we? If not then showing files in the code scanning UI will not work. |
Yes that's right. It should be the path to the root of the github repository being analysed, or perhaps more precisely the repository to which the SARIF file will be uploaded. The use-case for this feature is for complex build setups that for example require a bunch of repositories (the repo to be analysed an its dependencies) to be checked out in a particular folder hierarchy that does not match the |
I think there is no such thing as "the checkout path". A user can organise the workspace folder structure in any way they like either by configuring |
Yes, I deliberately did not change
Yes, exactly, which, admittedly, is a minor use-case, but one that I have seen already and one which is supported in the CLI with the
My intention was not to replace
|
|
@mario-campos, sorry for the confusing comments above. You can likely ignore my comments and go with what @aibaars says. We had quite a long chat on this and I think we're now on the same page with this, so you can ignore anything contradictory that I said earlier. |
Previously, I had tried to refer to '${{ github.workspace }}', but that caused a problem in Actions. Trying to avoid the issue, I changed this to "the workspace," but this gives up quite a bit of specificity.
Co-authored-by: Arthur Baars <aibaars@github.com>
Thanks to @aibaars, `path.resolve()` should will nicely handle more use-cases, namely absolute paths better than `path.join()`. Co-authored-by: Arthur Baars <aibaars@github.com>
CHANGELOG.md
Outdated
| @@ -2,6 +2,7 @@ | |||
|
|
|||
| ## [UNRELEASED] | |||
|
|
|||
| - The `init` step of the Action now supports a `source-root` input to be able to specify a path under the GitHub workspace to be the root source-code directory. [#607](https://github.com/github/codeql-action/pull/607) | |||
There was a problem hiding this comment.
Could we mention that the default is the $GITHUB_WORKSPACE root?
This addresses @adityasharad's suggestions in PR #607.
|
Yes, I can add tests. Where would I do that, though? I don't see a test file for init.ts. |
|
Hmm good point, we don't seem to have unit tests. Perhaps another test job in |
This config file 'ought to have some queries good for testing!
|
Huh. Any idea why a source root would be considered invalid (aside from it not existing)? |
.github/workflows/pr-checks.yml
Outdated
| run: | | ||
| mkdir ../action | ||
| mv * .github ../action/ | ||
| mv ../action/tests/multi-language-repo/{*,.github} . |
There was a problem hiding this comment.
I suspect this is the problem: it will move all the contents of multi-language-repo into the current directory, and not preserve the tests/multi-language-repo enclosing directories.
One option to try might be to avoid these moves entirely, and set source-root as you've done below. The moves are needed for other tests because they scan the entire repo from the workspace root, but the whole point of source-root is to customise that behaviour.
There was a problem hiding this comment.
Good call. That makes sense.
.github/workflows/pr-checks.yml
Outdated
| mv ../action/.github/workflows .github | ||
| - uses: ./../action/init | ||
| with: | ||
| config-file: ".github/codeql/codeql-config-packaging.yml" |
There was a problem hiding this comment.
I think you may be able to remove this, and keep the test focused on only the source-root feature.
The test is not related to packaging. Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
Moving the files into ../action was causing the job to fail because it couldn't find the test directory anymore. According to @adityasharad, these 'mv's should not be necessary. Removing these means changing the path to the actions. I'm also removing the 'config-file' input to keep the test minimal. I think this will mean that CodeQL will use the default query suite, so I hope that this doesn't change the results.
…tion into source-root-input
As this test is using only JS, it's not necessary to compile or analyze the other languages.
This is for PR #607, 'source-root' input test case.
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
This addresses @adityasharad's suggestions in PR github#607.
This is for PR github#607, 'source-root' input test case.
Merge / deployment checklist